PEAP and EAP-TLS on Server 2008 and Cisco WLC

Hi shrry8,

The trusted certificate is your CA, but what about your client certificate? Did you install it on your laptop? When you try to connect with EAP-TLS, it'll prompt you for which client certificate it should use for client authentication.

Rene

Yes, it's showing and I am selecting the CA certificate on the client.

Even tried PEAP; after logging in it's giving the same error and I don't know what is wrong with my test setup.
My email is shrry8@gmail.com. If you can drop me your email I can send you the screenshots of my configuration.

Hi Rene,

I would like to play around with setting up this whole lab. My question is: what kind of Wireless LAN Controller can I buy without breaking the bank? Can I use my Netgear wireless AP to be controlled by the Cisco WLC, or do I have to buy a Cisco AP?
Please advise.

Hi Alfredo,

If you just want to practice this setup then you really don't need a fancy wireless controller and access points. Most wireless routers (even a cheap Netgear) will support WPA(2)-Enterprise, which is what we are doing here. Most of the work is configuring the Windows servers and the wireless clients.

I would only buy a Wireless controller and access point(s) if you want to learn more about Cisco wireless and/or how to implement wireless with multiple access points. If you want to learn more about wireless in general (802.11) then you can learn a lot even without buying hardware.

If you want to learn about Cisco Wireless then I would suggest the WLC 2504. Those aren’t too expensive and you can get the latest updates for them. If you buy an older one like the WLC 2106 then you might run into issues because you can’t get the latest updates for those anymore. I’d have to look into a good access point if you are interested…

Rene

Hi Rene

The tutorials helped me a lot with the Windows environment, thanks. But now I have the following issues I hope you can help me with.

The topology is

Two servers (2012R2) with NPS (they are in a two-tier CA hierarchy: rootCA -> subCA -> userCA)
Scalance W788 access points (pointing to the two NPS servers)
Linux embedded box (supplicant)

The problem is that when the Linux box connects to the NPS server, I get Event ID 6273 Reason Code 48 on the NPS server. I tried modifying the network policies but no luck. The Linux box is configured like this in wpa_supplicant.conf (I still haven't put the certificate on the Linux box because I want to try this way first):
network={
    ssid="SSID"
    # wpa_supplicant expects the hyphenated form; "WPA_EAP" is rejected as an invalid key_mgmt
    key_mgmt=WPA-EAP
    eap=PEAP
    # inner (phase 2) method carried inside the PEAP TLS tunnel
    phase2="auth=MSCHAPV2"
    identity="user"
    password="pass"
}

Another question: do I have to import a certificate like you did on the Android device? In this case, will it be a user certificate and the subCA certificate?

Thanks
Regards

Hi Eugenio,

You are welcome. Event ID 6273 Reason Code 48 normally means that there was no match with any of your NPS policies. I would start by checking those, see if you forgot anything, and make sure the incoming request matches your policy.

Your wpa_supplicant.conf file looks fine, if you use PEAP then you won’t need any client certificates. The client will validate the server certificate but you can choose to ignore this.

Rene
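The practical caveat with the PEAP block above is the server side of the TLS tunnel. In wpa_supplicant, a network block with no ca_cert accepts whatever certificate the access point presents, and a ca_cert without a domain_match (or subject_match) accepts any certificate that CA ever issued. Either way a rogue AP broadcasting the same SSID gets the tunnel and the MSCHAPv2 challenge/response inside it. The following checker, added here as an example and not code from the original thread or from wpa_supplicant, parses network={} blocks and flags those weaknesses. The sample configurations, the CA path /etc/ssl/certs/subca.pem, the server name nps.example.local and the SSID names are all constructed for the example.

```python
"""Audit wpa_supplicant.conf network blocks for unverified-server EAP settings.

Added example, not part of the original thread or the wpa_supplicant project.
Handles the flat `key=value` subset of the file format used in network blocks.
"""
import re

# Real wpa_supplicant directives that pin the server certificate to a name once
# ca_cert has established the chain (any one of them is enough for this check).
NAME_PINS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "IEEE8021X"}


def parse_networks(conf):
    """Return one dict per network={...} block; comment lines are skipped and
    surrounding double quotes are stripped from values."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        net = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """List the findings for one block; an empty list means nothing to report."""
    findings = []
    ssid = net.get("ssid", "?")
    eap = net.get("eap", "").upper()
    if not eap:
        return findings  # PSK or open network: nothing EAP-specific to check
    if not set(net.get("key_mgmt", "").split()) & EAP_KEY_MGMT:
        findings.append(f"{ssid}: eap={eap} but key_mgmt={net.get('key_mgmt')!r} does not select 802.1X")
    if "ca_cert" not in net:
        findings.append(f"{ssid}: no ca_cert, any server certificate is accepted"
                        + (" (MSCHAPv2 credentials exposed to a rogue AP)" if eap == "PEAP" else ""))
    elif not any(pin in net for pin in NAME_PINS):
        findings.append(f"{ssid}: ca_cert set but no domain_match/subject_match, any certificate from that CA is accepted")
    # For EAP-TLS the private key is mandatory; client_cert may live inside a PKCS#12 private_key.
    if eap == "TLS" and "private_key" not in net:
        findings.append(f"{ssid}: EAP-TLS without private_key cannot authenticate the client")
    return findings


def audit_config(conf):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample: the shape of the block discussed above (no ca_cert) plus a
# block with the underscore typo in key_mgmt that wpa_supplicant would reject.
WEAK_CONF = """
network={
    ssid="SSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="pass"
}
network={
    ssid="typo-net"
    key_mgmt=WPA_EAP
    eap=PEAP
    identity="user"
    password="pass"
}
"""

# Constructed hardened sample: CA pinned, server name pinned, plus an EAP-TLS block.
HARDENED_CONF = """
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user"
    password="pass"
    ca_cert="/etc/ssl/certs/subca.pem"
    domain_match="nps.example.local"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.local"
    ca_cert="/etc/ssl/certs/subca.pem"
    domain_match="nps.example.local"
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf))
```

The checker is deliberately strict about ca_cert plus a name pin together: the CA alone only proves the server certificate came from that CA, which in a two-tier enterprise PKI covers every machine that has ever enrolled for a server certificate, not just the NPS servers.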

19 posts were merged into an existing topic: PEAP and EAP-TLS on Server 2008 and Cisco WLC

Hi Rene
Under the 802.1X settings, why do we need to select an authentication mode?
What is meant by 'user authentication' or 'user or computer authentication'?
Thanks for the nice tutorial

User authentication is for users, someone who can type in a username or password. Computer (machine) authentication can be used for things like printers or access points. Also, in Windows it's possible to authenticate based on the computer name.

Hi,
The only difference between PEAP and EAP-TLS is that the first one uses a user identity for authentication and the other one uses a certificate for authentication?
Thanks

Hi Sims,

That is the main difference yes. PEAP uses username/password for user authentication and EAP-TLS uses client certificates for user authentication.

Rene

Thanks for the post Rene. I’m using a Cisco AIR-AP1231G-A-K9 as my AP. Are you able to show the steps required to set up the AP from the CLI please? I don’t use any of the GUI tools to do my configurations on my Cisco gear. I find them a PITA to set up as they require certain versions of Java and IE to run and the grief is not worth it. It is also more challenging to use the CLI and I believe I get a better understanding using it.

I think I may have worked it out. I can access the DC via wireless and log on to the domain.
I’ve included the config for my standalone AP.

AP1231.1#term length 0 
AP1231.1#terminal monitor 
AP1231.1#sh run 
Building configuration...

Current configuration : 4936 bytes
!
! Last configuration change at 14:04:19 Sydney Sun Apr 3 2016 by admin
! NVRAM config last updated at 14:04:21 Sydney Sun Apr 3 2016 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname AP1231.1
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone Sydney 10
clock summer-time sydney date Oct 4 2015 2:00 Apr 3 2016 2:00
ip subnet-zero
ip domain name bde.local
ip name-server 8.8.8.8
ip name-server 103.26.62.218
!
!
ip dhcp-server 192.168.1.100
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.61 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid bde.1231.1.ap
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa
   guest-mode
!
dot11 network-map
dot11 arp-cache optional
!
crypto pki trustpoint TP-self-signed-2161280379
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2161280379
 revocation-check none
 rsakeypair TP-self-signed-2161280379
!
!
crypto ca certificate chain TP-self-signed-2161280379
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32313631 32383033 3739301E 170D3032 30333031 30303032 
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363132 
  38303337 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100D200 7EB46FAF FF6550DD 2B05EA5B A9D9C908 23F8A4BE 007C3A74 218D9345 
  6CEE4181 1CB01978 B4231121 181487F8 2295C011 C058A00C CD515B6D F2395440 
  5CBF49BA 256E4B63 D21C0900 99BADDBF 9A4999D7 E79DB36E B12373C1 820FC392 
  F0E6BD94 AC40C44E C865451B 5644C797 635B068C AFD372A2 AA8FE35C D08CE0FC 
  5FAD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 144CFCDC 3ACAA344 42D767E9 EB41964B 94D413B1 E4301D06 
  03551D0E 04160414 4CFCDC3A CAA34442 D767E9EB 41964B94 D413B1E4 300D0609 
  2A864886 F70D0101 04050003 81810057 CAD74BC2 D40645F7 0BE40DBC 60D02692 
  73481106 4F946427 2191BB84 15950302 B0003F1D 3A244AC8 9A524E13 089F9AB9 
  592933C1 DF26BD06 7BC7CEA6 7A0D03FC 2B1F294B F592CA34 7855E87C 58CBFB73 
  64126E4B 4EECCE5C 69709CE6 738E91D9 79BDA9F3 B1C550B9 001F7D9C 177B0FF8 
  6314B16D 67666FBF 08279EB2 12D7D6
  quit
username admin privilege 15 view root password 7 xxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Loopback0
 ip address 1.2.3.1 255.255.255.255
 no ip route-cache
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 ssid bde.1231.1.ap
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 192.168.1.130 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.100
ip http server
ip http secure-server
ip http help-path http://www.google.com.au
ip radius source-interface BVI1 
!
radius-server local
  no authentication leap
  no authentication mac
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.61 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server retransmit 5
radius-server timeout 10
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 escape-character 3
!
sntp server 10.1.1.1
end

AP1231.1#

Hi Matt,

On the Cisco APs it’s best to work with the CLI. Their web interface is a pain to work with. The GUI of the Cisco wireless LAN controllers is very nice though.

I took a quick look at your config and it’s looking good. Is everything working as expected?

Rene

Hi Rene, I am in the process of creating a RADIUS server for wireless LAN users to access the network as well. The problem is that I'm using standalone Cisco AIR-AP1131AG-N-K9 and Cisco AIR-AP1252AG-N-K9 access points instead of WLC-controlled APs. Do you have instructions on how to set up the RADIUS server to accommodate these APs? Or can the same setup as shown above be used for both types? Also, I use the CLI rather than the web-based setup tools and it can be difficult translating the GUI into the CLI commands.

I also want to incorporate router SSH access on the RADIUS server so it verifies the user before he can gain privileged access. Do you have instructions for this?

Cheers,

Matt.

Hi Matt,

I do have an example for SSH with a RADIUS server. Here’s a simple example for freeradius.

First, edit /etc/freeradius/clients.conf and add the following:

# the switch (NAS) that is allowed to talk to this server
client 192.168.1.1 {
        secret    = MY_KEY     # must match "radius-server host ... key MY_KEY" on the switch
        nastype   = cisco
        shortname = SW1
}

The switch is using IP address 192.168.1.1 and the secret key between freeradius and the switch will be “MY_KEY”.

And add the following to the /etc/freeradius/users file:

# check item on the first line, reply items (sent back in the Access-Accept) indented below it
MY_USER Cleartext-Password := "MY_PASSWORD"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=15"

On your switch (or router) you need to add the following commands, I’m assuming you already configured SSH:

aaa new-model
aaa authentication login SSH group radius local
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key MY_KEY

line vty 0 4
 login authentication SSH

Once you SSH into the switch, it will check the radius server. If it fails, it will fallback to local authentication.

The configuration on the APs is a bit different. Cisco has an example that should be 99% similar:

Rene
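To see what the clients.conf secret and the reply items above actually do, the following script, added here as an example and not freeradius or Cisco code, builds the RFC 2865 Access-Request the switch would send for an SSH login, answers it the way the users entry says (Service-Type NAS-Prompt-User plus the Cisco-AVPair shell:priv-lvl=15 inside a Vendor-Specific attribute), and checks the Response Authenticator on the way back. The placeholders MY_KEY, MY_USER, MY_PASSWORD, 192.168.1.1 and 192.168.1.100 are the ones from the post; the toy server and user table are constructed for the example.

```python
"""RFC 2865 Access-Request/Access-Accept for the SSH-over-RADIUS setup above.

Added example; not freeradius or Cisco code. User-Password hiding is the
RFC 2865 section 5.2 scheme: MD5(secret + previous block) XOR plaintext,
keyed only by the shared secret, so the secret and a non-repeating Request
Authenticator are all that protect the password on the wire.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
NAS_PROMPT_USER = 7             # Service-Type for a CLI (exec) login
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the 16-byte Request Authenticator."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (the server side); trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(type_, value):
    """Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying Vendor-Id 9 and Cisco sub-attribute 1."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def parse_avps(data):
    """Walk a TLV list, rejecting lengths that would loop or overrun."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], parse_avps(pkt[20:length])


def access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """What the switch sends for `aaa authentication login SSH group radius`."""
    ra = authenticator or os.urandom(16)    # must be fresh and unpredictable per request
    body = (avp(USER_NAME, user.encode())
            + avp(USER_PASSWORD, hide_password(password.encode(), secret, ra))
            + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def respond(request, secret, users):
    """Toy server: recover the password, compare with the users table, and
    reply with the users-file reply items. Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, avps = parse_packet(request)
    attrs = dict(avps)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if users.get(user) == password:
        code = ACCESS_ACCEPT
        body = avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair("shell:priv-lvl=15")
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(request, response, secret):
    """Client side: reject a reply whose authenticator was not made with the
    shared secret and the matching Request Authenticator (a spoofed Accept)."""
    _, ident, req_auth, _ = parse_packet(request)
    _, rident, rauth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return rident == ident and hmac.compare_digest(rauth, expected)


def priv_level(response):
    """Pull shell:priv-lvl out of a Cisco-AVPair in the reply, if present."""
    for t, v in parse_packet(response)[3]:
        if t == VENDOR_SPECIFIC and len(v) > 4 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            for st, sv in parse_avps(v[4:]):
                if st == CISCO_AVPAIR and sv.startswith(b"shell:priv-lvl="):
                    return int(sv.split(b"=", 1)[1])
    return None


def demo(secret=b"MY_KEY"):
    """Switch 192.168.1.1 logs MY_USER in; a server with the wrong secret cannot."""
    users = {"MY_USER": b"MY_PASSWORD"}             # constructed stand-in for the users file
    req = access_request("MY_USER", "MY_PASSWORD", secret, "192.168.1.1")
    good, bad = respond(req, secret, users), respond(req, b"WRONG_KEY", users)
    return {"code": parse_packet(good)[0], "priv_lvl": priv_level(good),
            "verified": verify_response(req, good, secret),
            "wrong_secret_code": parse_packet(bad)[0],
            "wrong_secret_verified": verify_response(req, bad, secret)}


if __name__ == "__main__":
    print(demo())
```

The wrong-secret case is the one to remember when the switch keeps landing on `local` fallback: a mismatched key does not produce an error message from the server, it produces a garbled password and an Access-Reject (or a reply the switch discards because its authenticator does not verify), which looks exactly like a bad password from the CLI.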

Hi,
PEAP using MS-CHAPv2, what does it mean?
Thanks

Hi Sims,

PEAP is the mechanism that builds a secure TLS tunnel. Within this tunnel, a device authenticates itself. MS-CHAPv2 is a common authentication method.

Rene
